Add Étienne's personal SSH public keys (one per dev machine: aaron, tower, leod) as agenix recipients so secrets can be decrypted without sudo.
Context: Currently only machine host keys are recipients in secrets/secrets.nix. Adding user keys is a standard agenix pattern — machine keys handle deployment, user keys handle dev/editing workflows. This also allows Claude Code agents to decrypt secrets without needing sudo.
Steps:
- Collect
~/.ssh/id_ed25519.pub from each dev machine (aaron, tower, leod)
- Add to
secrets/secrets.nix as softAaron / softTower / softLeod, grouped into allSoftKeys
- Add
allSoftKeys to recipients of dev-facing secrets: github-bot-token, openai-api-key, gemini-api-key — skip system secrets (wifi passwords, soft-password, tailscale-authkey)
- Re-encrypt affected secrets with
agenix -r
Originally tracked in #123.
Add Étienne's personal SSH public keys (one per dev machine: aaron, tower, leod) as agenix recipients so secrets can be decrypted without sudo.
Context: Currently only machine host keys are recipients in
secrets/secrets.nix. Adding user keys is a standard agenix pattern — machine keys handle deployment, user keys handle dev/editing workflows. This also allows Claude Code agents to decrypt secrets without needing sudo.Steps:
~/.ssh/id_ed25519.pubfrom each dev machine (aaron, tower, leod)secrets/secrets.nixassoftAaron/softTower/softLeod, grouped intoallSoftKeysallSoftKeysto recipients of dev-facing secrets:github-bot-token,openai-api-key,gemini-api-key— skip system secrets (wifi passwords,soft-password,tailscale-authkey)agenix -rOriginally tracked in #123.